Related: Should reserved CVE IDs be listed in the CVE List at all? If so, do we need types of reserved status in the list?

3:20 – 3:30: Anonymized CNA Report Card - Dan Adinolfi

3:30 – 3:45: Time limit for reserved CVE IDs? Should there be different time limits for the MITRE CNA, since their model is slightly different? - Dan Adinolfi

3:45 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

Introductions and review of previous action items

The Automation WG was to email the Board to get permission for the Automation WG pilot. This was done.

MITRE was to provide the anonymized report draft by the middle of next week. This was done and feedback is being collected.

Working Groups

Strategic Planning – Kent Landfield

Issues

Working Group meetings will be held on Mondays, 1-2 PM, in the same weeks as the regularly scheduled Board meetings.

Actions

No actions.

Board Decisions

There was no additional Board Discussion.

Automation – Kurt Seifried

Issues

The WG had a meeting 15 May 2017, and some notes from the meeting were posted to the Automation WG mailing list.

The WG is going ahead with the Git-based pilot for pushing information to MITRE.

A list of the old and new sets of states (e.g., reject sub-state, reserved/assigned/allocated states, etc.) for CVE IDs will be sent via mail for discussion.

The WG discussed the idea that data sharing should be push-based. The responsibility for updating CVE data should be on the data contributor.

Actions

The WG fleshed out a plan for an information sharing experiment using Git and will share this with the Board.

Board Decisions

The Board needs to clear the bi-directional sharing Pilot. The WG will post a proposal for the sharing Pilot to the Board list and give the Board a week to review it.

CNA Update

DWF – Kurt Seifried

Issues

DWF is working through the backlog of assignment requests.

More CVE requests will be submitted to MITRE by the DWF this week.

Some CVE ID requesters are not replying to the DWF’s email messages (especially those asking for acceptance of the CVE Terms of Use), which is slowing the publishing process. DWF is looking for more reliable ways to do this.

Actions

More infrastructure will be developed in the next week.

Board Decisions

There was no additional Board Discussion.

General - Dan Adinolfi

Issues

The two-day training in Tokyo went well. 9 groups attended. The language barrier was an issue, but the group worked past it. The more technical sections went well, and the content-writing part went well. The CNA program may want to consider translations of training materials.

Actions

None.

Board Decisions

There was no additional Board Discussion.

States Topic – Chris Coffin

See above in the Automation WG notes.

CNA Report Card Update – Dan Adinolfi

Based on Board feedback, the explanatory material should be expanded. The report card should be made more self-contained, including more background material. A paragraph or two for each slide would be useful. MITRE will get back to the Board in two weeks with a new version.

Time limit for reserved CVE IDs? Should there be different time limits for the MITRE CNA, since their model is slightly different? – Dan Adinolfi

An automated process for tracking this would be ideal. The goal would be to revoke a CVE ID assignment after a period of time or publish after a period of time, which will reduce the number of “stale” CVE IDs in the CVE list. MITRE will send a proposal to the Board with specifics.

Open Discussion – CVE Board

Can rejected CVE IDs be moved back into an active state?

The Board discussed this and agreed that CVE IDs should be able to change state to accommodate mistakes. Doing so would require notification and awareness that rejected CVE IDs can be changed. MITRE will issue a 30-day notice that this policy is changing and formalize the process to manage communication about problems as they arise.

Regarding MITRE’s response to Congress’ request for specific information about the CVE program, MITRE will look into sharing their response as soon as they can.

The Board discussed the use of “undefined behavior” in vulnerability descriptions. If a vendor/developer asserts that a vulnerability that exhibits undefined behavior is legitimate, then the CVE ID should be assigned. Without that confirmation, a researcher should provide more proof that the undefined behavior represents a vulnerability. MITRE should push back on requesters who offer only “undefined behavior” as a description of the vulnerability.

MITRE is still working with HP to update the Board on questions related to their scope.

Action items, wrap-up – Chris Coffin

A list of the old and new sets of states for CVE IDs will be sent via mail for discussion.